Note to our readers
When preparing for this article, I came across a very thorough and valuable resource on insider threat. The Software Engineering Institute (SEI) at Carnegie Mellon in conjunction with CERT has a web page delineating their studies and efforts focused on their research and analysis on insider threat. Many of my comments were aided by the excellent work done by The CERT Insider Threat Center.
In today’s infosec environment, we often hear about advanced persistent threats from external attackers such as organized crime and nation states. However, security professionals also need to worry about the insider threat. This is the employee, contractor or sub-contractor with access to data, files and IT systems who may be disgruntled or feel “obligated” to steal valuable intellectual property. Their motivations could vary from politics to anger to pure greed.
This tip offers a broad summary of the key issues involved with insider threats and the best methods for insider threat detection. Enterprises might need to update some corporate policies and practices to better protect IT and intellectual property assets.
Categories of insider threat
According to Carnegie Mellon University's CERT Insider Threat Center, which offers comprehensive and authoritative research on insider threats, and my own personal experiences, the key categories of insider threat include the following:
- IT sabotage – IT systems are damaged or IT assets are stolen (e.g., stealing code, proprietary programs, etc.) for retribution.
- Motivated by business advantage – The employee or contractor steals corporate data in order to have an advantage at their new employer, normally a competitor, or the employee wants to gain an advantage for a new business they plan to start.
- Motivated by financial gain – Fraud is usually the crime involved, such as theft of Social Security numbers, credit card and CVV numbers, etc. with making money being the primary goal.
- Espionage – The primary motive is spying for another company or nation state and directing the stolen asset to the “enemy” for political gain; money is often involved in such cases, which brings us back to the financial gain motive.
How to identify high-risk employees
Why would anyone on the inside of an enterprise want to steal data, programs, code, sales strategies, etc.? The motives are usually driven by two primary visceral issues: ego and greed.
The best way to identify the high-risk employees is to look at their behavior. Are they hostile to their supervisors and co-workers? Do they clash with authority? Is their performance declining or are they tardy or absent more than usual? Is there any evidence of excessive activity at work or on the network outside normal work hours?
Also, for financial motivations, is the employee in serious debt? Are they abusing drugs? Are they driving a new, expensive car or flaunting new wealth with jewelry, expensive attire, or even expensive gadgets? These could be telltale signs that they are potentially an insider threat for theft of data.
Who poses the greatest risk? Insider threat psychology
The following types of employees, contractors, and sub-contractors should give enterprises cause for concern. Look for these characteristics as part of your employee risk assessment:
- Disgruntled employee - This is usually the employee who feels personally disrespected, possibly due to a missed pay raise that was expected or a negative encounter with supervisors over benefits, time off, demotions, transfers or other similar issues. In this instance, revenge is the employee’s motive.
- Profit-seeking employee – This is a simple motivation for many people. They work for a wage; however, by stealing information, they can make more money selling the stolen data to organized criminals or modifying the data to steal an identity. The information could be easy to access and steal for the employee, plus the theft can be rationalized because, as a malicious insider might say to himself, “The company won’t even miss it.” Motivations in such circumstances could include large financial or drug-related debt.
- An employee moving to a competitor or starting a business – For someone starting a business in the same field, the theft of customer lists, business plans, and even simple forms or templates can be tempting. Alternatively, imagine the employee leaving to work for a competitor. Perhaps the competitor has hinted that an exchange of information can be made for a better position when the employee comes on board.
- Believe they own the code or product – In this case, employees feel a sense of ownership over code they wrote or a product they developed. Therefore, they take the code for their future use or even for their next job.
According to the CERT Insider Threat Center, the employees that pose the greatest risk for insider threat/theft include technical staff such as engineers and scientists, managers, sales personnel and programmers. Employers should be especially focused on employees who have administrative rights or are specialized users of the IT systems deployed. These employees know the strengths and vulnerabilities of the systems. They could be a “disgruntled geek” that plants the logic bomb or damages data that causes problems that aren’t discovered until months or years after they have left.
How is the data stolen and moved?
Once the data, code or intellectual property is stolen, it must be moved to a place where the employee’s plans can be implemented. The following is a list of avenues used to extract the information for nefarious use:
- Email – For data that is less than 10 GB, email is the easiest method of transfer. The employee could use corporate email to send the information to a personal email account or an accomplice. Alternatively, webmail can be used to access a personal email account and then mail the data to another account. Of course, the data might need to be delivered to another target such as a nation state, so the email service can again be used to send the data directly to the target, or, via a personal email account, to the target nation state or organized criminal.
- File Transfer Protocol (FTP) – The stolen data can be uploaded to a FTP site set up by the employee or the target criminal. This is the best method for larger files.
- Removable media – With the ubiquity of portable media devices, this is the easiest physical means of moving data out of the employer’s systems. USB drives, CD/DVD burning, removable hard drives, memory cards, portable music players and even cell phones can be used to copy the information and carry it out of the office. Using physical storage in a theft means the information can be mailed to the employee or the bad guys.
- Mobile devices – Downloading information to a company-issued laptop or employee-owned smartphone, tablet or other mobile device is another means of copying data and making it mobile.
- Remote access – Accessing the corporate network remotely is another way to gain access to the network in order to steal information. During one of my CISO assignments, an employee set up his own SSH server at his house and was able to either remotely connect to the enterprise network or remotely connect to his server to move data, among other methods. He was one of the “geeks” at the company so he was technologically savvy and knew how to open ports, set up services, etc., for his deeds.
- Paper – Printing data and copying intellectual property is a fast, simple means of collecting information and readily moving it off site.
- Photos and screenshots – Cell phone cameras are abundant in the office. Unless blocked by system rules, simple screen shots can be made and then emailed or downloaded off-site.
Approaches such as instant messaging or Short Messaging Service (SMS) can be included in the above list. Don’t forget that encryption is easy to implement. Free tools such as TrueCrypt where data can be encrypted using Advanced Encryption Standard (AES), Serpent, Twofish or combinations thereof can prevent the employer from seeing what was being stolen.
How to respond to an increased risk of insider threat
The insider threat is a constant concern for enterprises. Employee human resource issues exist even in the best companies. However, management should be particularly alert to insider theft when layoffs are announced or transpiring. Similarly, what if several employees are moving to a competitor that is actively hiring or moving into the area? What if a group of contractors have completed their work and are about to depart? What about the disgruntled employees who are angry and feel their rights have been violated? These situations should all result in an alert stance toward insider threat.
Remember to establish a plan to manage the insider threat problem early. These steps should be taken long before the threat is on the doorstep:
- Ensure the organization complies with federal and state laws and regulations regarding privacy, personal rights, etc. For readers in the European Economic Union (EU), make sure to comply with EU privacy requirements.
- Involve executive management ,including the CEO, and other teams, including IT, information security, privacy, physical security, legal and human resources management. Make them aware of any looming or potential threats. (Perhaps have them read this article!)
- Determine the right time to include outside counsel, law enforcement, the FBI, Secret Service, etc. Whether these entities need to be involved sooner, later, or never depends on an organization’s contracts and if it is doing any federally sensitive work..
According to studies conducted by the CERT Insider Threat Center, the highest probability of insider theft/vandalism of IT systems is within 30 days of termination. Therefore, added focus, including using technical monitoring (e.g., logging) as well as behavioral monitoring, might be appropriate during that period.
Practical ways to address the risk of insider threat
As with most approaches to information security, layered defenses need to be implemented to reduce insider threats. Technically, high-risk employees can be monitored with advanced logging and log filtering. Activities to monitor include large files being transferred or emailed, emails to competitors, numerous emails and files being sent to their personal email address, and files being sent to countries or abnormal sites that don’t make sense.
For such monitoring, it must be reiterated that all activities need to comply with legal regulations.
Here is a list of other ideas in different areas of an organization that can be applied to protect organizational data from insider threats:
- Perform background checks on all potential employees, contractors, and sub-contractors. Be sure to include employment verification, criminal checks and developed references.
- Perform credit checks for any employee who will handle money, monetary instruments, high-value assets, etc. Frankly, with all the focus on our difficult economy, doing credit checks for new employees, contractors, subcontractors may be a useful vetting process to ensure new hires are not high risks because they desperately need money to cover their debts.
- Monitor for abnormal financial status changes.
- Institute periodic training for supervisors/managers and employees on insider threat concerns and ways to confidentially report suspect actions or individuals.
- Monitor and report disruptive or suspicious activity. Even during the hiring process, check the candidate’s background for any disruptive behavior.
- Anticipate and manage negative news or rumors that have the potential to impact the workplace.
- Deactivate computer access and remote access upon termination. Of note, some companies deactivate computer access immediately upon submittal of resignations in order to best protect the data and systems from harm.
- Develop an insider threat incident response plan. This could be part of your workplace violence plans in place.
- Report suspicious contact by outsiders on the workplace premises. This could be an organized criminal or espionage agent helping to collect/move data or funds.
- Clearly document and enforce policies, procedures and controls intended to prevent insider theft/threat.
- Enforce separation of duties and least privilege. Don’t allow access to information that the employee has no reason to view, obtain or download. Also, be sure financial tasks are separated, such as keeping access to accounts payable and accounts receivable separate and distinct. In simpler terms, an organization doesn’t want someone writing checks against bills they fraudulently wrote.
- Limit the use of portable media, or, in some environments, prohibit it.
- Remind employees - and have them sign an acknowledgement - that the intellectual properties they build, manage, use, etc. belong to the company and not to the employee.
- Audit critical practices (e.g. check or payment preparation and mailing) and audit any exception processes that could be manipulated to move funds.
- Implement and enforce an appropriate use policy for IT assets and data. Emphasize the appropriate handing and management of sensitive or valuable information.
- Technically limit access to only those files and data systems necessary for an employee to do their work.
- Minimize or limit administrative privileges and do not use shared usernames and passwords.
- Log, monitor and audit employee online actions. Again, always ensure the legality of such actions.
- Implement secure backup and recovery mechanisms and be certain that backups are not contaminated or corrupted.
- Block access to personal email, web mail and competitor email.
- Automatically flag mismatched data (e.g., payment to company X vs. invoice).
The challenge ahead
The bottom line is that insider threats can (and probably have) happened to every enterprise. With the increased global nature of business competition, it wouldn’t surprise me if this challenge increases, along with increased external cyberthreats to our IT systems. Organizations must always remain alert to the insider threat, including making plans for the inevitable risks to systems. Those organizations that are knowledgeable of the risks and are well prepared for such eventualities will benefit from knowing how to respond quickly to reduce or prevent the insider threat.
About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for more than 10 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Based in Seattle, Hayden holds the title of “ManagingPrincipal – energy security” at Verizon’s Global Energy & Utilities practice, devoting much of his time to energy, utility and smart grid security on a global basis. Prior to his current position at Verizon, Hayden held roles as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), and Seattle City Light. Hayden’s independent analysis may not always reflect positions held by Verizon. Read more of Hayden’s expert advice on his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at email@example.com.